The aim of cryptography is notably to protect: either the secrecy of information, by means of encryption and its dual operation, decryption; or only its integrity, by the operations of signature and signature verification.
Cryptography uses mathematical methods that are secure, in the sense that in the current state of published knowledge there are no methods of attack faster than exhaustive attack corresponding to trying all possible keys.
In general, encryption methods involve complex calculations necessary for systems security. This complexity does not pose any particular problems to computers, but it constitutes a drawback in the case of mass-market devices that lack high calculation power and are in general controlled by low-cost microprocessors. The consequences may then be of several kinds: for example, a bank card would take several minutes to sign a transaction, or a pay-per-view digital television decoder might not keep up with the throughput of information involved.
To alleviate this type of problem without increasing the price of systems, it is customary to append an aid to the central unit controlling the device, in general in the form of a coprocessor dedicated to cryptography.
However, whether it is implemented by the central unit or by a specialized coprocessor, the cryptography algorithm is in all cases implemented by a physical, electronic device. Electronic devices exhibit inevitable imperfections related to the inherent properties of the laws of electricity.
Thus, cryptographic systems which are secure from the mathematical point of view may be attacked by utilizing the imperfections of the physical systems implementing the algorithm. The duration of the calculations may depend on the values of the data, in particular on time-optimized software systems, and this may give rise to attacks of “timing attack” type making it possible in certain cases to retrieve all the secret keys on the basis of simple measurements of execution time. The instantaneous electrical consumption may also depend on the data, and this may give rise to series of attacks such as:
SPA (Simple Power Analysis), which attempts to differentiate the operations executed by a central unit on the basis of a measurement of its electrical consumption during a cryptographic operation;
DPA (Differential Power Analysis), which uses statistical operations on numerous measurements of electrical consumption, performed during cryptography operations on random messages and with a constant key, to validate or invalidate an assumption made on a limited part of the key;
attacks of “template” type, which in a first phase use a device identical to the attacked device, except that this identical device does not contain any secret, to construct consumption models indexed by the value of a limited part of the key, and in a second phase use a few measurements of consumption of the attacked device to determine the model whose measured consumptions are the closest and thus determine the value of this sub-key.
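The data dependence described above can be made concrete with modular exponentiation, which this text does not itself name: the example below is added here, is not part of the original document, and uses hypothetical function names, a constructed modulus and constructed keys. It counts the operations an observer of execution time or consumption would see, first for a time-optimized square-and-multiply and then for a Montgomery ladder whose operation sequence does not depend on the key.

```c
#include <stdint.h>
#include <stdio.h>

/* Counts stand in for what a timing or power probe sees: the operation
   sequence. (On real hardware `%` itself is not constant-time.) */
typedef struct { unsigned squares, multiplies; } op_count;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;               /* requires m < 2^32 */
}

/* Square-and-multiply: the multiply runs only for 1 bits of the key. */
uint64_t modexp_naive(uint64_t base, uint32_t key, uint64_t m, op_count *oc) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m); oc->squares++;
        if ((key >> i) & 1u) { r = mulmod(r, base, m); oc->multiplies++; }
    }
    return r;
}

/* Montgomery ladder: one multiply and one square per bit, whatever the key. */
uint64_t modexp_ladder(uint64_t base, uint32_t key, uint64_t m, op_count *oc) {
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = 31; i >= 0; i--) {
        uint64_t mask = 0 - (uint64_t)((key >> i) & 1u);
        uint64_t t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;   /* branch-free swap */
        r1 = mulmod(r0, r1, m); oc->multiplies++;
        r0 = mulmod(r0, r0, m); oc->squares++;
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;            /* swap back */
    }
    return r0;
}

/* Multiplication counts an observer would see for a given key. */
unsigned naive_multiplies(uint32_t key) {
    op_count oc = {0, 0}; modexp_naive(7, key, 1000003, &oc); return oc.multiplies;
}
unsigned ladder_multiplies(uint32_t key) {
    op_count oc = {0, 0}; modexp_ladder(7, key, 1000003, &oc); return oc.multiplies;
}

int main(void) {
    uint32_t keys[] = {0x80000001u, 0xFFFFFFFFu};   /* constructed sample keys */
    for (int k = 0; k < 2; k++)
        printf("key %08x: naive %u multiplies, ladder %u\n",
               (unsigned)keys[k], naive_multiplies(keys[k]), ladder_multiplies(keys[k]));
    return 0;
}
```

The naive routine's multiplication count equals the Hamming weight of the key, which is exactly the kind of data-dependent duration and operation pattern that timing analysis and SPA rely on; the ladder performs 32 multiplications for every key.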
Moreover, any electrical current flowing in a conductor engenders an electromagnetic field, measurement of which can give rise to attacks identical in principle to attacks pertaining to electrical consumption, notably by DPA.
Finally, so-called active attacks, or fault injection attacks, disturb the operation of systems so as to utilize the false results to retrieve the system's secrets.
Any imperfection of a physical device implementing a cryptography algorithm and liable to leak information related to the secrets held in the memory of the device is called a “hidden channel”.
Fault attacks are active attacks that may be very different in nature, as explained notably in the article by David Naccache, “Finding faults”, IEEE Security and Privacy, 3 (5), pages 61-65, 2005: temperature or voltage variation, strong spurious signal on the power supply or by electromagnetic field, laser firings, etc. The consequence of the faults generated is to modify the value of a node of the attacked circuit. They may be single or multiple, permanent or transient, depending on the impact on silicon. Transient fault injection is flexible: it allows multiple tries, which gives rise to more powerful attacks and increases the chances of success. Attacks with single faults simplify the attack procedure. Fault attacks are based on differential analysis between the non-erroneous encrypted output and the output with fault. For example, the attack on AES encryption presented in the article by Gilles Piret and Jean-Jacques Quisquater, “A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD”, in CHES, volume 2779 of LNCS, pages 77-88, Springer, 2003, turns out to be extremely effective if the fault arrives at the penultimate or at the antepenultimate round.
Fault injection attacks have hitherto, and very paradoxically, been considered to be expensive, and therefore accessible in practice solely to financially powerful, suspect organizations. It is now possible to order on the Internet a decapsulation station and a turnkey tunable laser bench. It follows that the likelihood of an attack by fault injection is considerably increased. Thus, a cryptoprocessor implanted in an integrated circuit, for example an FPGA, can henceforth be considered secure only if it simultaneously implements countermeasures to observation attacks, notably of DPA or EMA types, and to attacks of fault injection type. Moreover, attacks combining observation and faults have been proposed, like that described by Bruno Robisson and Pascal Manet in their article “Differential Behavioral Analysis”, in CHES, volume 4727 of LNCS, pages 413-426, Springer, 2007.
An effective countermeasure for combating this type of attack relies on employing redundancy. For example, a calculation block may be reproduced three times and a majority function thereafter makes it possible to eliminate the block where a fault is injected. One of the drawbacks of this solution is that it involves an additional cost due to the reproduction of the calculation block or blocks or else to the insertion of a consistency checking module based on verification of invariants.
Another countermeasure consists in detecting fault injection. In this case the user is alerted and can act to protect himself, by reinitializing the system for example.
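The two countermeasures just described, a calculation block reproduced three times with a majority function and the detection of a fault followed by reinitialization, are sketched below as an added example that is not part of the original document. The calculation block, the type and function names and the fault values are hypothetical and constructed for illustration; a fault is modelled as an XOR on one replica's output.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { TMR_OK, TMR_CORRECTED, TMR_UNCORRECTABLE } tmr_status;
typedef struct { tmr_status status; uint32_t out; int faulty; } tmr_result;

/* Hypothetical stand-in for the protected calculation block. */
uint32_t calc_block(uint32_t x, uint32_t k) {
    x ^= k;
    x = (x << 7) | (x >> 25);
    return x * 0x9E3779B1u + k;
}

/* Three replicas plus a majority function. f0..f2 are XORed onto the replica
   outputs to model a transient bit flip at a node (0 = no fault). In hardware
   the replicas are three physical copies of the block. */
tmr_result tmr_compute(uint32_t x, uint32_t k,
                       uint32_t f0, uint32_t f1, uint32_t f2) {
    uint32_t r[3] = { calc_block(x, k) ^ f0, calc_block(x, k) ^ f1,
                      calc_block(x, k) ^ f2 };
    tmr_result res = { TMR_CORRECTED, 0, -1 };
    if (r[0] == r[1] && r[1] == r[2]) { res.status = TMR_OK; res.out = r[0]; }
    else if (r[0] == r[1]) { res.out = r[0]; res.faulty = 2; }
    else if (r[0] == r[2]) { res.out = r[0]; res.faulty = 1; }
    else if (r[1] == r[2]) { res.out = r[1]; res.faulty = 0; }
    else res.status = TMR_UNCORRECTABLE;  /* no majority: release nothing */
    return res;
}

/* Detection policy from the text: any disagreement raises an alert, and a
   result without a majority forces a reinitialization. */
int must_reinitialize(tmr_result r) { return r.status == TMR_UNCORRECTABLE; }
int fault_detected(tmr_result r)    { return r.status != TMR_OK; }

int main(void) {
    /* Constructed inputs: a one-bit fault on replica 1, then two faults. */
    tmr_result a = tmr_compute(5, 9, 0, 0x10, 0);
    tmr_result b = tmr_compute(5, 9, 0x01, 0x10, 0);
    printf("single fault: detected=%d faulty=%d out=%08x\n",
           fault_detected(a), a.faulty, (unsigned)a.out);
    printf("two faults:   detected=%d reinit=%d\n",
           fault_detected(b), must_reinitialize(b));
    return 0;
}
```

A single faulted replica is outvoted and identified, so the correct output is still released; when no two replicas agree, the output is withheld and the caller reinitializes. The cost noted above is visible here as three evaluations of the block per result.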